
What is the General Data Protection Regulation (GDPR) and how does it affect you?

This document is being provided for informational purposes only. Nothing in this document shall be construed as creating a representation, legal advice, warranty or commitment, contractual or otherwise, by Return Path, Inc., or any affiliate of Return Path, to you or any other person or entity. It also does not guarantee that your email and/or any other aspect of your business is in compliance with state, federal, or International laws. Return Path makes no representation, warranty or commitment that any message you send to end users will be delivered. This document is not a substitute for, should not be used in place of, and should not be considered, legal advice. It is recommended that you contact your general or legal counsel.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation, or GDPR, is the European Economic Area (EEA) regulation adopted on May 24, 2016 with a goal to harmonize, modernize and strengthen data privacy and processing policies across Europe. GDPR replaces Directive 95/46/EC (the ‘Data Protection Directive’) which is out of date due to evolving technology standards.

GDPR requirements will be enforced starting on May 25, 2018. It requires organizations to diligently protect personal data, as well as provide proof about how that data is protected.

GDPR sets a high standard for consent, which will have a huge impact on the marketing industry. Customers will need to be given choice and control over how their data is handled. To comply, you’ll need to know how the GDPR defines personal data, where it’s located in your business, how it’s used, who can access it, and much more.

Does the GDPR affect you?

The GDPR affects ANY business that collects, processes, stores, or uses data from people residing in the EEA. It applies whether or not your organization is headquartered in the EEA, and whether the processing itself takes place inside or outside the EEA. This means that whether your headquarters are in Europe or you are only a firm with offices or customers there, you need to adopt new practices to ensure full compliance with this regulation.

Marketing teams will be the first to be affected by these new changes, as they are one of the main players when it comes to data processing. Your data collection and processing strategies will have to be unambiguous and communicated to all users and subscribers.

You may also have to appoint a Data Protection Officer (DPO), who will be responsible for informing and advising the person in charge of your data processing, as well as monitoring your company's compliance with the new regulation.

What information is considered as personal data?

The GDPR defines personal data as "any information relating to an identified or identifiable individual". So, any information capable of identifying a person, either directly or once cross-linked with other data, is considered personal data.

What are the GDPR’s key concepts?

Below are some of the key concepts that come with the new regulation. However, this is not an exhaustive list, and updates are expected in the future to the GDPR since this is the first major change to data protection regulations in more than 20 years. Consult your legal counsel for the most recent updates.

Territorial scope: The GDPR applies to all companies processing personal data of people residing in the EEA, regardless of the company’s location. The GDPR also applies to the processing of personal data of people residing in the EEA by a controller or processor not established in the EEA, where the activities relate to:

Offering goods or services (irrespective of whether payment is required).

The monitoring of behavior that takes place within the EEA.

Penalties and fines: Organizations violating the GDPR can be fined up to 4% of annual global revenue or 20 Million Euros (whichever is greater). This is the maximum fine that can be imposed for not having sufficient customer consent to process data or by violating the core privacy concepts.

Consent: Consent requirements are strong. You must use terms that are easily understood, not long, unreadable terms and conditions full of complex legal words and expressions. The request for consent must be presented in a clear and unambiguous form, and organizations may need to adopt new consent policies such as:

Consent must be specific to distinct purposes. Consent cannot be implied or inferred for multiple purposes.

Pre-checked boxes do not constitute sufficient consent.

Organizations processing personal data of children under the age of 16 (member-states may independently drop the age of consent to 13) must acquire consent from the child’s parent.

The opt-out process must be as simple and straightforward as the opt-in process.

Organizations must be able to provide documented, verifiable evidence of consent at any time. It is essential that the data controller keep track of:

The mechanisms used to obtain consent (e.g. online forms, or an affirmative opt-in via a cookie).

The purpose of using the data.

The opt-in date.

People residing in the EEA gain new rights; the most important being:

The right to be forgotten: Organizations must have means in place to locate and delete all of an individual’s data upon request, including in circumstances where a controller may have passed the data downstream to a secondary controller or processor.

The right to object: Individuals can reject how an organization uses their data for specific purposes, such as marketing profiling.

The right to rectification: Individuals can have incomplete or incorrect data completed or corrected.

The right of access: Individuals have the right to know what and how specific data elements are being collected and processed.

The right to data portability: Individuals have the right to transmit their data (or request it to be done on their behalf) from one organization to another, without any restrictions or undue delay.

Personal data breach reporting: Personal data breaches at the data controller are to be reported to the local Supervisory Authority (established within each EEA member state) within 72 hours. If the personal data breach also represents a high risk to the individual, the controller must communicate the personal data breach to the individual immediately. If the data breach occurs at the data processor, the data processor must inform the data controller immediately.

Privacy notices: Organizations must transparently state their approach to personal data protection in a privacy notice. People also have the right to receive ‘fair and lawful’ information about the processing of their data in the privacy notice, which must include, among other things:

Contact details of the data controller and the Data Protection Officer.

How the data is used (e.g. details of data transfers outside of the EEA).

Purpose of the data: This must be as specific and minimized as possible (purpose limitation and data minimization).

How long the data is retained: This period must be as short as possible (storage limitation).

Expanding the definitions of personal and sensitive data: The definitions of personal and sensitive data have been expanded and now include genetic and biometric data. The GDPR enforces a strict definition of personal data as “any information that could be used, on its own or in conjunction with other data, to identify an individual.”

Privacy by default and design: Organizations must consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.

Data controller and data processor: The data controller and the data processor are each responsible for implementing appropriate technical and organizational measures to ensure, and to demonstrate, that their processing activities comply with the requirements of the GDPR. The data controller must also ensure that each data processor it works with has the appropriate measures in place.

What effect will GDPR have on deliverability?

Deliverability is influenced by hundreds of factors related to your sending reputation, including the quality of your subscribers. With the GDPR’s increased focus on unambiguous, informed consent for organizations sending to people residing in the EEA, deliverability may improve at some European mailbox providers.

The more you send email to people who give express consent to receive your email, the more likely they will engage with your email. Since engagement is a factor used by many mailbox providers when filtering your email, higher engagement rates (and fewer complaints) could lead to higher inbox placement at some European mailbox providers.

Where can you go for additional information about the General Data Protection Regulation (GDPR)?